Date: Tue, 25 Jun 2013 03:03:04 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> To: Jeremy Chadwick <jdc@koitsu.org> Cc: freebsd-stable@FreeBSD.org, d@delphij.net Subject: Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks) Message-ID: <51C8EC48.1000807@quip.cz> In-Reply-To: <20130624225034.GA8873@icarus.home.lan> References: <51C4DBFE.1010809@quip.cz> <51C4F5D4.6000802@delphij.net> <51C8C400.7080009@quip.cz> <51C8C9E8.9050507@delphij.net> <20130624225034.GA8873@icarus.home.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
Jeremy Chadwick wrote: > On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> On 06/24/13 15:11, Miroslav Lachman wrote: >> [...] >>> The patch seems really simple and I know how to apply it, but I am >>> not able to compile and install only fixed sftp command instead of >>> the whole userland. Can you push me to the right direction? >> >> I think you can go to /usr/src/secure/usr.bin/sftp and do: >> >> make depend >> make >> >> Then, as root: >> >> make install Thank you! I didn't know I must be in /usr/src/secure/usr.bin/sftp I tried your patch and can confirm it works for me! >> I usually do a full world build to make sure that this doesn't break >> something else but this change should only affect sftp(1). > > I'm going to make this real simple: > > Is the problem with symlinks in the client (sftp(1)), in the server > (sftp-server(8)), or both? The impression I get from the original post > that started this thread is that it's in the server part. No, it is the problem on the client side. The server side in all cases is good old OpenSSH 5.4 on FreeBSD 8.3. Only the newer sftp client is broken and this bug is really fixed by patch provided by Xin Li. We tried OpenSSH 6.2 client side from Mac OS X and it is broken too. The same apply to openssh-portable from ports (openssh-portable-6.2.p2_3,1) > So, I believe he'd want to poke about in src/secure/libexec/sftp-server. > However, that may not be enough, due to the fact that sftp-server(8) > depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do > not know where the actual broken code lies. > > Someone on -security might know exactly what all needs to be built/what > commands need to be run, but I will tell you this up front: > > The official security announcements for SSL or SSH-related things have > historically told people to build world. I went and read the mailing > list archives for -security-announcements and found proof/examples of > this fact when issues pertain to SSL or SSH. > > My recommendation is just to build world. Don't risk it -- this is a > key piece of your system, all you're trying to do is save some time. > Don't. Just build/install world and don't screw around. I understand your concern and I will rebuild world if the patch changes anything in the server part, but this is realy just a fix in sftp client command and I want to try it quickly and to have a quick path to go back to original version of the sftp command. This is on testing machine anyway, I will not do this on production machines. Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51C8EC48.1000807>